Hacker breaks into Barracuda Networks database

Robert McMillan |
April 11, 2011

A hacker has broken into a Barracuda Networks database.

FRAMINGHAM, 11 APRIL 2011 - A hacker has broken into a Barracuda Networks database and obtained names and e-mail addresses of some of the security company's employees, channel partners and sales leads.

The hacker, who called himself Fdf, posted proof of his attack to the Web on Monday, showing e-mail addresses of company employees and names, e-mail addresses, company affiliations and phone numbers of sales leads registered by the company's channel partners.

The attack started Saturday night and was launched at a time when the Barracuda Web Application Firewall that was supposed to protect the site had been taken offline for maintenance, Barracuda said Monday. After a couple of hours of probing, the hacker found an SQL injection flaw -- a common Web programming error -- on a script used to display write-ups of customer case studies. That one mistake got him into a database that the company used for its marketing program and sales lead development.

Barracuda does not store financial information in that database, the company said.

Although it's embarrassing when security companies get hacked, it happens a lot.

Last month EMC's RSA group said that someone had broken into its networks and obtained information that could compromise its SecurID products. In February security consultancy HBGary Federal was broken into, with tens of thousands of the company's e-mail messages posted online.

Other than noting that he used an SQL injection technique, Fdf didn't say much about the attack in his Web posting, but he did give a shout out to some of his friends and "all Malaysian hackers." News of the incident was first reported Monday by The Register.